
Funny: MS Vista Exploit Allows Myspace Sites to Control Your


DLSS


Actually, this is hilarious. Microsoft has spent the last 5 years trying to secure their operating system and on the first day it goes on the market, someone figures out the easiest security hole ever.

Even Jon Stewart, after asking Bill Gates what the F12 key does on the Daily Show last night, knew enough to ask Gates about the security issue. And according to an NPR broadcast I heard recently, it's a big deal for the company and the stockholders - one guest even speculated that if Vista proves to be no better than XP, MS could take a severe hit.

And now, it turns out, even Jon Stewart may be able to hack Vista.

Turns out, because Vista has its new HAL 9000-like voice command system, anyone with a Myspace page can trigger that command (if it's running) with an audio file set to start when the visitor clicks. This exploit was tested by ZD Net's George Ou.

I recorded a sound file that would engage speech command on Vista, then engaged the start button, and then I asked for the command prompt. When I played back the sound file with the speakers turned up loud, it actually engaged the speech command system and fired up the start menu. I had to try a few more times to get the audio recording quality high enough to get the exact commands I wanted but the shocking thing is that it worked! Anyone that's ever visited MySpace knows how many annoying webpages out there that will start blasting loud MP3 music as soon as they enter the page.

So, while this is not the same as an exploit that will allow a remote hacker to run code, Ou points out that being able to remotely launch commands is still a serious problem.

There are some mitigating factors but there is no doubt this is still a serious exploit. Most people won't have Vista speech commands configured and enabled but if they do, the speech command control console will automatically load with the operating system and park itself on the top of the desktop waiting for audio commands. The other mitigating factor is that if you visit a webpage and it starts barking out slow and loud Vista speech commands, it will be rather obvious to most people that something is very wrong. But it's still possible that a webpage might delay the sound playback and hope that the user is not around to stop the exploit.

So watch out for songs scurrilously titled, "Shut Down" or "Restart" on iTunes. XD

(source : www.dailykos.com)

more info -> http://blogs.zdnet.com/Ou/?p=416


  • 2 weeks later...

A friend of mine was adamant on getting a copy of Vista for his new £900 laptop as soon as it came out.

He didn't need it for anything specifically, so I managed to convince him to wait until service pack 1 is released. The jokes about how people would sneak up behind him and yell "SHUTDOWN" at his laptop are never ending :D


lol that's pretty kool, at my skool (tertiary education) there are tons of users using laptops, I can just imagine in the near future, sitting in a lecture hall, and the instructor mentions shutdown in his speech, and u just see all these laptops cascadingly shut down in front of you :P


lol that's pretty kool, at my skool (tertiary education) there are tons of users using laptops, I can just imagine in the near future, sitting in a lecture hall, and the instructor mentions shutdown in his speech, and u just see all these laptops cascadingly shut down in front of you :P

lol hey, that'd look kinda cool in the dark huh? :lol:


"Open documents folder", "Select all", "Delete", "Yes", "empty recycle bin" yep, very hard :P

There is of course also: "open Word", "font size 100", "You are a total fucking loser for using myspace", "file, print", "100 copies", "print", "lock computer" :lol:


"Open documents folder", "Select all", "Delete", "Yes", "empty recycle bin" yep, very hard :P

There is of course also: "open Word", "font size 100", "You are a total fucking loser for using myspace", "file, print", "100 copies", "print", "lock computer" :lol:

XD <3 sparda


"Open documents folder", "Select all", "Delete", "Yes", "empty recycle bin" yep, very hard :P

There is of course also: "open Word", "font size 100", "You are a total fucking loser for using myspace", "file, print", "100 copies", "print", "lock computer" :lol:

Well that's not exactly taking control of it, and it would probably be hard to get all those commands to execute properly. And the user would have plenty of time to close the site.

  • 3 weeks later...

I haven't used speech recognition in yeaaars, but I distinctly remember that you could mutter any old garbage into the microphone, and the software would attempt to make some sense of it.

If Windows Vista has the same "go get 'em" attitude to speech recognition...perhaps you could find a way to fool it into executing commands, hidden/modulated inside of incomprehensible gibberish or noise :)
